providers/vmware: allow avoiding iopl permission errors

This introduces a fallback path for the backdoor-opening logic, in order to allow consuming applications to keep going when changing I/O access level is not allowed. Privileged mode is in theory more reliable but `kernel_lockdown(7)` may block it due to `iopl()` usage. Thus, we try that first and fall back if kernel blocks it.
coreos · Oct 8, 2020 · 3699493 · 3699493
1 parent ffbfda8
commit 3699493
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/src/providers/vmware/amd64.rs b/src/providers/vmware/amd64.rs
@@ -16,7 +16,15 @@ impl VmwareProvider {
             bail!("not running on VMWare CPU");
         }
 
-        let mut backdoor = vmw_backdoor::probe_backdoor()?;
+        // NOTE(lucab): privileged mode is in theory more reliable but
+        //  `kernel_lockdown(7)` may block it due to `iopl()` usage.
+        //  Thus, we try that first and fall back if kernel blocks it.
+        let mut backdoor = vmw_backdoor::probe_backdoor_privileged().or_else(|e| {
+            slog_scope::warn!("failed to probe backdoor in privileged mode: {}", e);
+            slog_scope::warn!("falling back to unprivileged backdoor access");
+            vmw_backdoor::probe_backdoor()
+        })?;
+
         let mut erpc = backdoor.open_enhanced_chan()?;
         let guestinfo_net_kargs = Self::fetch_guestinfo(&mut erpc, INITRD_NET_KARGS)?;